instascan-pro

Problem

Software as a Service (SaaS) platforms expose programmable interfaces to their authenticated users. These web services enable action automation and secure exchange of information. For authorization, users provide a unique token that confirms their access rights to the web service. Access tokens for supported web services are automatically validated via the least privilege APIs the service exposes. Detected tokens have been accepted as valid by the services they are associated with. This indicates they are currently active and may be abused if exposed to the public. Web service access tokens are considered secrets. They should never be included in a software release package, even if they are obfuscated by encryption on the client-side.

Problem

Software developers use programming and design knowledge to build reusable software components. Software components are the basic building blocks for modern applications. Software consumed by an enterprise consists of hundreds, and sometimes even thousands of open source components. Open source communities depend on the work of thousands of software developers that volunteer their time to maintain software components. Software developers build up the reputation of their open source projects by developing in public. Modern source code repositories have many social features that allow software developers to handle bug reports, have discussions with their users, and convey reaching significant project milestones. It is uncommon to find open source projects that omit linking their component to a publicly accessible source code repository.

Problem

Operating systems allow multiple user accounts to coexist on a single computer system. Each registered user has identity information associated with their account. At the very least, user accounts consist of a user name and an optional password. In some cases, user account data may also include personally identifiable information. Extended personal information may include user's given and last name, their email and mailing address, personal photo and their telephone number. Financially motivated attackers may seek to collect personal information for purposes of selling the private data to a third-party. Malicious code that typically exhibits these behavior traits is commonly referred to as an information stealer. While the presence of code that accesses identity information does not necessarily imply malicious intent, all of its uses in a software package should be documented and approved. Accessing identity information is a very common behavior for software packages. One example of acceptable use for such functions is verifying that the active user has purchased a software license that allows them to run the application.